Organizations face increased pressure of maintaining regulatory and/or corporate policy compliance. Many policies (for example, SOX, PCI, GLBA, etc.) require strict management of privileged (typically administrative) accounts. This management includes who has access to these accounts, the purpose for which these accounts are being used and the auditing of the administrative activities while the account was being used. Compliance auditors will ask for proof that these activities are being retained for a certain period of time, actively monitored and acted upon if out of compliance. Thus, an organization may be required to keep track of who is accessing certain system resources and what activities they are performing. However, access to sensitive activities such as modifying configuration files at a system resource is oftentimes restricted to a particular group of physical users such as IT administrators having root access. Typically, such users may login as a privileged user such as the root user using a password dedicated to the root user account. Because more than one physical user may login as the privileged user, it may be difficult to identify the physical user who performed particular activities while logged in as the privileged user. When faced with many hundreds or thousands of servers and millions of administrative/privileged transactions per day this becomes a daunting task for any organization.